Two or Seven Cents on Yahoo’s Fine

There are many numbers associated with the Company-Formerly-Known-As-Yahoo’s 2014 data breach fine.

3,000,000,000 users impacted and accounts compromised.

500,000,000 impacted users reported late by Yahoo.

$35,000,000 in fines levied by the Securities and Exchange Commission.

The vast majority of these and other numbers associated with the largest data breach in history are incomprehensible. I can’t visualize what three billion people looks like. But one number in this saga stands out to me, and it’s one I can understand by count on two hands: seven.

When comparing the SEC’s total $35 million fine levied against Yahoo and the three billion users impacted by its breach, the penalty was only $0.07 per account. This figure is outrageously low and fails to recognize the true financial harms users experience when their data is irresponsibly managed and compromised.

In February 2017, CNBC reported that the mean cost to identity theft victims was $1038. A punishment of only $0.07 per account for Yahoo sets a dangerous precedent that will fail to properly deter companies from lax reporting in the future. Companies who fail to properly protect user data and are slow to report breaches can do so because the consequences are nearly inconsequential for those with balance sheets like Yahoo’s. Ultimately, users are left to foot the bill and live with the consequences of a compromised identity.

Luckily, it’s not all bad news. GDPR is on the horizon and will focus executive attention on this topic in a very important, meaningful way. Consequences outlined by GDPR regulation for failure to protect data and properly report breaches can effectively bankrupt a company. The fine is substantial – 4% of global revenues – but it goes beyond simple income. The brand damage will cost loss of customer relationships and make customer acquisition much more expensive, and remediation costs from class action lawsuits will require loss provisions – all of which tie up precious capital.

GDPR does all the right things that Yahoo, Uber, Morgan Stanley, MyFitnessPal, Anthem, Panerabread and every company who treats user data irresponsibly does not. GDPR regulation puts consumers in control of their data and holds organizations accountable. GDPR is coming, and all seven billion of us should be excited.